Provisioning control apparatus and method for provisioning electronic components or devices

ABSTRACT

A provisioning control apparatus is configured to be coupled to a provisioning equipment server electrically connectable with one or more electronic devices for provisioning the electronic devices with security sensitive provisioning data. The provisioning control apparatus includes a processor configured to generate a group context for creating a group of provisioning control apparatuses. The processor is further configured to generate the security sensitive provisioning data based on the group context. The provisioning control apparatus includes a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server. The communication interface is configured to provide the group context to a security server for generating a proxy provisioning control apparatus on the security server. The proxy provisioning control apparatus is configured to provide the group context to a first further provisioning control apparatus for enrolling the first further provisioning control apparatus for the group of provisioning control apparatuses. The first further provisioning control apparatus is configured to be coupled to the provisioning equipment server.

TECHNICAL FIELD

The invention relates to the secure production and provisioning ofelectronic components or devices. More specifically, the inventionrelates to an apparatus and a method for controlling the provisioning ofelectronic components or devices.

BACKGROUND OF THE INVENTION

The production and assembly of state-of-the-art electronic equipment,such as smartphones, tablet computers as well as other types ofelectronic consumer or IoT equipment, often happens in a distributedfashion in that the various electronic components or devices, includingthe electronic chips of electronic consumer equipment are manufactured,provisioned or personalized and finally assembled at different locationsand by different parties. For instance, an electronic chip for anelectronic equipment may be originally manufactured by a chipmanufacturer and provisioned by another party with security sensitiveprovisioning data, such as cryptographic keys and/or a firmware, beforebeing assembled into the final end product by the manufacturer of theelectronic equipment, e.g. an OEM. A similar problem may arise inin-system programming (ISP), also called in-circuit serial programming(ICSP), where electronic components may be programmed, i.e. providedwith security sensitive provisioning data, while already installed in anelectronic equipment, rather than requiring the electronic component,e.g. electronic chip, to be programmed prior to installing it into theelectronic equipment.

For provisioning electronic components or devices with securitysensitive provisioning data by a third party it is known to use aprovisioning control apparatus in the form of a secure hardware securitymodule (HSM). Often the security sensitive provisioning data may containor be based on OEM keys securely stored and/or processed by such asecure HSM. If there is a failure or malfunction of such a secure HSM,for instance, due to physical damage caused by a factory fire or afork-lift truck damaging the HSM these OEM keys might be lost due to thesecure nature of the HSM. Any backups of the OEM keys from such a secureHSM cannot be recovered onto a replacement HSM due to the secure natureof the system. The result would be that the factory line would have tostop provisioning electronic components until a new secure HSM has beeninstalled and the OEM secret keys have been wrapped for the new secureHSM, resulting in significant delay and cost in manufacturing.

Thus, there is a need for improved apparatuses, in particular HSMs, andmethods for controlling the secure provisioning of electronic componentsor devices, such as chips or microprocessors, for electronic equipmentin a fail-safe manner.

SUMMARY OF THE INVENTION

It is therefore an object of the invention to provide improvedapparatuses, in particular HSMs, and methods for controlling the secureprovisioning of electronic components or devices, such as chips ormicroprocessors, for electronic equipment in a fail-safe manner.

The foregoing and other objects are achieved by the subject matter ofthe independent claims. Further implementation forms are apparent fromthe dependent claims, the description and the figures.

According to a first aspect, a provisioning control apparatus, inparticular a secure HSM, configured to be coupled to a provisioningequipment server is provided. As will be described in more detail below,the provisioning control apparatus according to the first aspect may beconsidered as a root or parent provisioning control apparatus. Theprovisioning equipment server is electrically connectable with one ormore electronic components for provisioning the one or more electroniccomponents with security sensitive provisioning data.

The electronic components may comprise chips, microprocessors or otherprogrammable electronic components, such as Flash memories, applicationprocessors, memory control units (MCUs), electrically erasableprogrammable read only memories (EEPROM), programmable logic devices(PLDs), field programmable gate arrays (FPGAs), systems-on-chip (SoC),and microcontrollers incorporating non-volatile memory elements.

The provisioning control apparatus according to the first aspectcomprises a processor configured to generate a group context forcreating a group of provisioning control apparatuses, wherein eachprovisioning control apparatus is configured to generate the securitysensitive provisioning data and to be coupled to the provisioningequipment server for providing the security sensitive provisioning datato the provisioning equipment server. To this end, the processor isconfigured to generate the security sensitive provisioning data based onthe group context.

The provisioning control apparatus according to the first aspect furthercomprises a communication interface configured to provide the securitysensitive provisioning data to the provisioning equipment server. Thecommunication interface is further configured to provide the groupcontext to a security server for generating a proxy provisioning controlapparatus on the security server, wherein the proxy provisioning controlapparatus is configured to provide the group context to a first furtherprovisioning control apparatus for enrolling the first furtherprovisioning control apparatus for the group of provisioning controlapparatuses, wherein the first further provisioning control apparatus isconfigured to be coupled to the provisioning equipment server.

Thus, a failure of the provisioning control apparatus can be compensatedby the proxy provisioning control apparatus on the security server inthat the proxy provisioning control apparatus may generate the firstfurther provisioning control apparatus which may continue provisioningthe one or more electronic components with security sensitiveprovisioning data.

In an embodiment, the communication interface is further configured toprovide the group context to a second further provisioning controlapparatus for enrolling the second further provisioning controlapparatus for the group of provisioning control apparatuses, wherein thesecond further provisioning control apparatus is configured to becoupled to the provisioning equipment server.

In an embodiment, the communication interface is further configured toreceive one or more wrapped OEM keys from an OEM server and wherein theprocessor is configured to unwrap the one or more wrapped OEM keys basedon the group context and to generate the security sensitive provisioningdata based on the one or more OEM keys.

In an embodiment, the one or more OEM keys comprise an OEM certificate.

In an embodiment, the group context comprises a group private key, acertificate for the group private key and a group encryption key usedfor encryption and/or decryption.

In an embodiment, the processor is further configured to assign anidentity to the first further provisioning control apparatus, whereinthe identity of the first further provisioning control apparatus isindicative of the provisioning control apparatus and the first furtherprovisioning control apparatus.

In an embodiment, the processor is further configured to assign anidentity to a second further provisioning control apparatus, wherein theidentity of the second further provisioning control apparatus isindicative of the provisioning control apparatus and the second furtherprovisioning control apparatus.

According to a second aspect a provisioning control apparatus isprovided, wherein the provisioning control apparatus is configured to becoupled to a provisioning equipment server, the provisioning equipmentserver being electrically connectable with one or more electronicdevices for provisioning the one or more electronic devices withsecurity sensitive provisioning data. The provisioning control apparatusaccording to the second aspect comprises a communication interfaceconfigured to receive a group context generated by a first furtherprovisioning control apparatus from a proxy provisioning controlapparatus on a security server for creating a group of provisioningcontrol apparatuses. The provisioning control apparatus according to thesecond aspect further comprises a processor configured to generate thesecurity sensitive provisioning data based on the group context. Thecommunication interface is further configured to provide the securitysensitive provisioning data to the provisioning equipment server.

In an embodiment, the communication interface is further configured toreceive one or more wrapped OEM keys from a remote OEM server and theprocessor is configured to unwrap the one or more wrapped OEM keys basedon the group context and to generate the security sensitive provisioningdata based on the one or more OEM keys.

In an embodiment, the one or more OEM keys comprise an OEM certificate.

In an embodiment, the group context comprises a group private key, acertificate for the group private key and a group encryption key usedfor encryption and/or decryption

In an embodiment, the communication interface is further configured toprovide the group context to a second further provisioning controlapparatus for enrolling the second further provisioning controlapparatus in the group of provisioning control apparatuses, wherein thesecond further provisioning control apparatus is configured to becoupled to the provisioning equipment server for provisioning theelectronic devices with the security sensitive provisioning data.

In an embodiment, the communication interface is further configured toreceive an identity from the first further provisioning controlapparatus or the proxy provisioning control apparatus on the securityserver, wherein the identity of the provisioning control apparatus isindicative of the provisioning control apparatus and the first furtherprovisioning control apparatus.

In an embodiment, the processor is configured to assign an identity tothe second further provisioning control apparatus, wherein the identityof the second further provisioning control apparatus is indicative ofthe provisioning control apparatus, the first further provisioningcontrol apparatus and the second further provisioning control apparatus.

According to a third aspect a provisioning system is provided,comprising a provisioning control apparatus according to the firstaspect, a provisioning control apparatus according to the second aspect,a remote security server comprising a proxy provisioning controlapparatus, and a provisioning equipment server being electricallyconnectable with one or more electronic devices for provisioning the oneor more electronic devices with the security sensitive provisioningdata.

According to a fourth aspect a method is provided for operating aprovisioning control apparatus configured to be coupled to aprovisioning equipment server, the provisioning equipment server beingelectrically connectable with one or more electronic devices forprovisioning the one or more electronic devices with security sensitiveprovisioning data. The method comprises the steps of:

-   generating a group context for creating a group of provisioning    control apparatuses;-   generating the security sensitive provisioning data based on the    group context;-   providing the security sensitive provisioning data to the    provisioning equipment server; and-   providing the group context to a security server for generating a    proxy provisioning control apparatus on the security server, wherein    the proxy provisioning control apparatus is configured to provide    the group context to a first further provisioning control apparatus    for enrolling the first further provisioning control apparatus for    the group of provisioning control apparatuses, wherein the first    further provisioning control apparatus is configured to be coupled    to the provisioning equipment server.

Embodiments of the invention can be implemented in hardware and/orsoftware.

BRIEF DESCRIPTION OF THE DRAWINGS

Further embodiments of the invention will be described with respect tothe following figures, wherein:

FIG. 1 shows a schematic diagram illustrating a provisioning systemincluding a provisioning control apparatus according to an embodiment ofthe invention;

FIG. 2 shows a signaling diagram illustrating in more detail processingsteps implemented by a provisioning control apparatus according to anembodiment for enrolling a backup provisioning control apparatus into agroup;

FIG. 3 shows a signaling diagram illustrating in more detail processingsteps implemented by a provisioning control apparatus for enrolling abackup proxy provisioning control apparatus into a group;

FIG. 4 illustrates the assignment of identities based on a tree or graphstructure within a group of provisioning control apparatuses accordingto an embodiment; and

FIG. 5 shows a flow diagram illustrating a method for operating aprovisioning control apparatus according to an embodiment.

In the figures, identical reference signs will be used for identical orat least functionally equivalent features.

DETAILED DESCRIPTION OF EMBODIMENTS

In the following detailed description, reference is made to theaccompanying drawings, which form part of the disclosure, and in whichare shown, by way of illustration, specific aspects in which the presentinvention may be implemented. It is understood that other aspects may beutilized and structural or logical changes may be made without departingfrom the scope of the present invention. The following detaileddescription, therefore, is not to be taken in a limiting sense, as thescope of the present invention is defined by the appended claims.

For instance, it is understood that a disclosure in connection with adescribed method may also hold true for a corresponding device or systemconfigured to perform the method and vice versa. For example, if aspecific method step is described, a corresponding device may include aunit to perform the described method step, even if such unit is notexplicitly described or illustrated in the figures. Further, it isunderstood that the features of the various exemplary aspects describedherein may be combined with each other, unless specifically notedotherwise.

FIG. 1 shows a schematic diagram of a provisioning system 100 accordingto an embodiment of the invention, including a first or initialprovisioning control apparatus 140 a according to an embodiment of theinvention. In an embodiment, the first or initial provisioning controlapparatus 140 a may be implemented as a first or initial secure HSM 140a.

As will be described in more detail further below, the provisioningsystem 100 may comprise in addition to the first secure HSM 140 a aremote server 110, a security server 120 and a provisioning equipmentserver 160 for provisioning or personalizing electronic devices orcomponents 170, such as chips or microprocessors 170 with securitysensitive provisioning data 150, such as secret electronic keys,certificates and/or configuration data. As illustrated in FIG. 1 , thefirst secure HSM 140 a, the remote server 110 and the security server120 may be configured to communicate with each other via a communicationnetwork, such as the Internet. Thus, the first secure HSM 140 a, theremote server 110 and the remote security server 120 may be at differentlocations and under the control of different entities. As illustrated inFIG. 1 , the first secure HSM 140 a and the provisioning equipmentserver 160 may be located within a production environment 130, such as apersonalization factory 130. In an embodiment, the remote server 110 maybe under the control or associated with an electronic equipmentmanufacturer, e.g. an OEM, wherein the electronic equipment manufacturerassembles electronic equipment, such as smartphones, tablet computers orother types of IoT or electronic consumer equipment, using theelectronic devices or components 170 provisioned by the provisioningequipment server 160 with the security sensitive provisioning data 150.In an embodiment, at least a portion of the security sensitiveprovisioning data 150 may include a firmware and/or secret electronickeys of the electronic equipment manufacturer associated with the remoteOEM server 110.

In an embodiment, the first secure HSM 140 a, the remote OEM server 110and the remote security server 120 are configured to securelycommunicate with each other using one or more cryptographic schemes,such as a public key infrastructure and/or a hybrid cryptographicscheme. In an embodiment, the first secure HSM 140 a may be under theremote control of the security server 120.

The first secure HSM 140 a is configured to be coupled to theprovisioning equipment server 160, for instance, by a wired or awireless connection. In an embodiment, the provisioning equipment server160 may be implemented as a personal computer (PC) and the first secureHSM 140 a may be implemented as a PC card inserted in the provisioningequipment server 160. The provisioning equipment server 160 may comprisean electrical and/or mechanical interface for interacting directly orindirectly via a provisioning equipment with the electronic devices orcomponents 170. For instance, the provisioning equipment server 160 maycomprise a personalization tray for personalizing a batch of electronicdevices or components 170 inserted therein.

In the embodiment illustrated in FIG. 1 the first secure HSM 140 acomprises a processor 141 a, a communication interface 143 a and anon-transient memory 145 a. The processor 141 a of the first secure HSM140 a may be configured to encrypt the security sensitive provisioningdata 150 for obtaining encrypted security sensitive provisioning data150. Moreover, the communication interface 143 a of the first secure HSM140 a may be configured to provide the encrypted security sensitiveprovisioning data 150 to the provisioning equipment server 160 forstoring the encrypted security sensitive provisioning data 150 in anon-volatile memory, e.g. a Flash memory of the electronic device orcomponent 170. In an embodiment, the security sensitive provisioningdata 150 may comprise one or more electronic keys, one or morecertificates and/or configuration data, i.e. data defining one or moresecurity configurations of the electronic device or component 170, inparticular register settings. As shown in FIGS. 1 and 3 , the furthersecure HSMs 140 b,c may comprise similar or the same functionalcomponents as the first secure HSM 140 a, namely a processor 141 b,c, acommunication interface 143 b,c and a memory 145 b,c.

As will be described in more detail below under further reference toFIG. 2 , the first or initial secure HSM 140 a is configured to generatea group of secure HSMs by enrolling one or more further secure HSMs 140b, 140 c into the group of secure HSMs 140 a-c. In an embodiment, allsecure HSMs 140 a-c may be provided by the same supplier and compriseone or more supplier certificates provided by a supplier public keyinfrastructure (PKI). This allows a particular secure HSM 140 a-c toprove that it is a genuine product from the supplier by demonstrating itcan sign using a key that is confirmed through a certificate chain thatgoes up to the root of trust certificate of the supplier.

As will be described in more detail below, for generating the group ofsecure HSMs and enrolling a new HSM into the group the first or initialsecure HSM 140 a is configured to generate a dataset (referred to hereinas “secret group context”), which contains a top-level group private keyused as a Certificate Authority (CA) for the group, i.e. the groupidentity and a certificate (for instance, a X.509 certificate) as theGroup CA authority certificate. Moreover, the group context comprises agroup encryption key used for encryption and/or decryption.

In an embodiment, the group encryption key may be a group encryptionprivate key or a group encryption symmetric key. In case the groupencryption key is a group encryption private key the group context mayfurther comprise a certificate, for instance, a X.509 certificate forthe corresponding group encryption public key.

In an embodiment, the group context may further comprise a groupsignature private key used for generating a digital signature and, thus,authentication as well as a certificate, for instance, a X.509certificate for the corresponding group signature public key.

In an embodiment, the group context may further comprise additionalcryptographic keys and corresponding certificates for other services.

As already described above, in an embodiment, the top-level groupcertificate of the group context chains back to a root certificate, forinstance, the root certificate of the entity supplying the secure HSMs140 a-c. This allows to cryptographically prove that the group masterkey is genuine. This extra level of security makes it possible that thefirst secure HSM 140 a does not have to release its own private key evento the other proven, i.e. authenticated secure HSMs 140 b, 140 c. Thegroup master private key is to be given to the other HSMs in the groupat a later stage, as will be described in more detail in the following.

As already described above and illustrated in FIG. 2 , the first secureHSM 140 a may initiate or be triggered to create a new group of secureHSMs 140 a-c (see 201). In an embodiment, this results in new groupcertificate chain being created with the corresponding private keys. Inan embodiment, the group certificates 203 may be extracted and used inplace of a certificate of a single HSM for wrapping, i.e. encrypting theOEM keys 205. As illustrated in the embodiment of FIG. 2 , these OEMkeys 205 may be wrapped by the remote OEM server 110 for providing thewrapped OEM keys 207 to the group of secure HSMs 140 a-c. As will beappreciated, the result of this wrapping operation is a set of keys thatmay be similar to the set for a single HSM, but can be shared with othersecure HSMs by means of the group enrolment operations described in thefollowing. In an embodiment, the OEM keys 207 may comprise an OEMcertificate and the processor 141 a is configured to generate thesecurity sensitive provisioning data 150 based on the OEM certificate.In an embodiment, the security sensitive provisioning data 150 maycomprise the OEM certificate or a certificate derived from the OEMcertificate.

As will be described in more detail below, none of the secure HSMs 140a-c fulfills a kind of “king pin” position in that its failure or losswould result in a failure of the other secure HSMs as well. As aconsequence thereof, not only the first secure HSM 140 a availablewithin the provisioning environment 130, but also any one of the othersecure HSMs 140 a-c already belonging to the group may enroll a furthersecure HSM into the group of secure HSMs.

For enrolling a further HSM into the group, which will be described inmore detail in the context of FIG. 2 , a secure communication should beused between the HSMs that are involved in the enrollment process. Thismay be achieved by the HSMs that are involved using a securecommunication channel over the same network, such as a LAN or WLAN, orusing a manual exchange of USB fobs, for instance, in case of a remoteor disconnected further HSM to be enrolled into the group of secureHSMs.

As illustrated in FIG. 2 , in a stage 211 b the first secure HSM 140 asends a “Group Announcement” message to the not yet enrolled furthersecure HSM 140 b. In an embodiment, the “Group Announcement” message maycomprise a certificate and/or digital signature of the first secure HSM140 a as well as one or more of the group certificates and/or signaturesdescribed above. Based on these one or more certificates and/orsignatures the not yet enrolled further secure HSM 140 b may verify thatthe first secure HSM 140 a is a genuine product, i.e. trustworthy andthe HSM group is a genuine HSM group within the same PKI hierarchy.

In stage 211 b shown in FIG. 2 the communication interface 143 b of thecurrently enrolling further HSM 140 b receives the “Group Announcement”message. In response thereto, the processing circuitry 141 b of thecurrently enrolling further secure HSM 140 b validates that the firstHSM 140 a is trustworthy and then generates a “Group Enrollment”request, which is transmitted in a stage 213 b of FIG. 2 by thecommunication interface 143 b of the currently enrolling further HSM 140b to the first HSM 140 a. In an embodiment, the “Group Enrollment”request generated by the currently enrolling further secure HSM 140 bmay include one of more certificates and/or digital signatures of thecurrently enrolling further secure HSM 140 b, for instance, for provingthat it is a genuine, i.e. trustworthy secure HSM. In an embodiment, theone or more certificates contained within the “Group Enrollment” requestgenerated by the currently enrolling further secure HSM 140 b maycomprise a certificate for a secure wrapping function, i.e. for a keyused for the secure wrapping function.

In response to receiving the “Group Enrollment” request the processingcircuitry 141 a of the first HSM 140 a validates based on a certificateand/or digital signature contained within the request that the currentlyenrolling further secure HSM 140 b is trustworthy. If this is the case,the communication interface 143 a of the first secure HSM 140 atransmits in a stage 215 b of FIG. 2 a “Group Enrollment” response tothe currently enrolling further HSM 140 b. The “Group Enrollment”response comprises the group private keys wrapped only for the currentlyenrolling further HSM 140 b, i.e. using the public key of the currentlyenrolling further secure HSM 140 b. In an embodiment, the “GroupEnrollment” response 215 b may comprise a digital signature that allowsthe processing circuitry 141 b of the currently enrolling further secureHSM 140 b to validate the “Group Enrollment” response 215 b. In responseto receiving the “Group Enrollment” response 215 b the further secureHSM 140 b adopts the group and may store the one or more groupcertificate chains and/or one or more group private keys in the memory145 b for future use as a full member of the group (see 217 b).

As a result of the above group enrollment process both the first secureHSM 140 a (referred to as “Secure HSM A” in FIG. 2 ) as well as thefurther secure HSM 140 b (referred to as “Secure HSM B” in FIG. 2 ) mayaccept data, such as provisioning job control packages, from the OEMserver 110 and use this data for provisioning the electronic chips 170.This is because, in an embodiment, the remote OEM server 110 wraps thesecret OEM keys 205 using the group identity keys rather than the publickey of the first secure HSM 140 a.

As illustrated in FIG. 2 , once the further secure HSM 140 b has beenenrolled by the first secure HSM 140 a into the group of secure HSMs,the same enrollment process as described above may be used by thefurther secure HSM 140 b to enroll an additional secure HSM 140 c intothe group of secure HSMs (as illustrated in 211 c-217 c of FIG. 2 ).Likewise, the additional secure HSM 140 c may be enrolled by the firstsecure HSM 140 a.

In an embodiment, the group of secure HSMs 140 a-c may be configured tomonitor the number of electronic chips 170 provisioned for the OEM. Thisprovides an additional security for the OEM in that an unnoticed cloningof electronic chips 170 with any HSM of the group of secure HSMs 140 a-cwould not be possible. To this end, in an embodiment, a secure hubentity may be provided to monitor the number of electronic chips 170managed by each of the secure HSMs 140 a-c of a group. In an embodiment,each of the HSMs 140 a-c of a group may be part of a differentprovisioning line for provisioning different batches or types ofelectronic chips 170. Thus, in an embodiment, each of the secure HSMs140 a-c of a group may be required to request authorization from thesecure hub entity to control the provisioning of a specific number ofelectronic chips 170 by the respective secure HSM 140 a-c. To this end,in an embodiment, the HSMs 140 a-c are connected with each other over acommon network and may check by means of the secure hub entity whether agroup product count has been incremented by one of the other HSMs. In anembodiment, the secure hub entity may be a specialized central secureHSM or one of the HSMs of the group of secure HSMs 140 a-c that has beenassigned a product count before. In such an embodiment, the secure HSMimplementing the secure hub entity may apportion its product count forthe other specific secure HSMs of the group and transfer the count via asecure message and deduct the count from its overall count so thatcloning is not possible.

As already described above, the keys (or other type of data, such asprovisioning job control data) wrapped by the remote OEM server 110 forthe group of secure HSMs 140 a-c may be submitted to any one of the HSMsin the group and it has all the information to provision the electronicchips 170. This renders backups from the secure HSMs 140 a-c unnecessaryas the provisioning job control data may be stored outside and backed upusing normal backup systems. On catastrophic failure of one HSM of thegroup another HSM of the group may be substituted and take over withoutthe provisioning environment 130 having to go back to the OEM andrequest re-wrapping its secrets for another HSM. The advantage of thisis that whichever HSM 140 a-c catastrophically fails that the remainingone may then put out a new “Group Announcement” and enroll an additionalsecure HSM to replenish the HSMs within the group, as already describedabove in the context of FIG. 2 .

As will be appreciated, the mechanism described above protects against asingle failure and allows production to continue. However, this doesmean that all secure HSMs of the group must have been granted count toprovision electronic devices 170 by the OEM in advance. If the OEM hasnot supplied all the HSMs of a group with enough credit to get through adefined time period then the factory would come to a halt. This isbecause the credit is against the individual secure HSM identities, notthe group identity. Thus, in a further embodiment, the credit may beraised against the group identity, not the individual HSMs. Thisrequires that the secure HSMs are in contact and are able to reach thesecure hub entity at all times to request permission to use a certainrequested count (or one or a batch) against the OEM product. As alreadydescribed above, the secure hub entity may be one of the secure HSMs ofthe group.

In another embodiment, the credit may be spent by each secure HSM 140a-c requesting a count to be taken from an OEM-set amount using ablock-chain mechanism so that each HSM 140 a-c can be sure there isenough for it without needing a central authority to arbitrate thecount.

In another embodiment, proprietary certificates might be used, ratherthan standard X.509 certificates. For instance, some certificates maycontain two or more public keys, for instance one certificate mightcontain both a signing and an encryption public key and be signed by ahigher-level signing key.

In an embodiment, the secure HSMs 140 a-c may be configured to enroll toa single group only. In a further embodiment, one or more of theplurality of secure HSMs 140 a-c may belong to more than one group, i.e.multiple groups may be permitted on each secure HSM 140 a-c. Forinstance, in an embodiment, a first group of the plurality of HSMs 140a-c may be associated with a first OEM, while a second group of theplurality of HSMs 140 a-c may be associated with a different second OEM.As will be appreciated, this allows different OEMs to have their owngroups of secure HSMs 140 a-c within the provisioning environment 130,which might be of interest for provisioning electronic components 170for very security-sensitive equipment of an OEM.

In a further embodiment, the first secure HSM 140 a may be configured toenroll only specific further HSMs 140 b,c into a group based on a whitelist of identities of allowed HSMs 140 b,c or a black list ofnon-allowed HSMs 140 b,c. In an embodiment, the first HSM 140 a maycheck the identity of the further HSM 140 b to be enrolled in the HSMgroup based on the “Enroll request” message 213 b.

As will be appreciated, in order to be failsafe a group has to containat least two secure HSMs 140 a-c. This is because the “group enrolment”requires the identity of the further HSM to be received by the first HSM140. Thus, according to a further embodiment illustrated by 311-315 and311 c-315 c in FIG. 3 , a proxy secure HSM 120 a is provided configuredto enroll a second secure HSM 140 c into the group, when the firstsecure HSM 140 a is no longer functioning. In an embodiment, the proxysecure HSM 120 a may be provided by the remote security server 120.

In an embodiment, the “enroll response” 315 may contain an unlock codeprovided by the first secure HSM 140 a. The unlock code is an additionalsecurity measure, so that the first secure HSM 140 a (or the entityoperating the first secure HSM 140 a for provisioning electronic chips170) can be sure the proxy secure HSM 120 a does not provide the groupcontext information to another secure HSM that is not associated withthe provisioning environment 130. The unlock code may be used to addanother level of encryption to the group context. The group contexts 301provided by different HSMs to the proxy secure HSM 120 a may be archivedsecurely so that they are available in case of a catastrophic failure ofthe first secure HSM 140 a (see 317 and 317 c).

As will be appreciated, a “backup” of the first secure HSM 140 a itselfbecomes generally unnecessary, as it is backup of the job controlpackage from the OEM that becomes most important. However, a backup ofthe group context may be done from the secure HSM 140 a to a remotedrive prior to a secure HSM upgrade simply for the purpose of ensuringthat a routine software upgrade does not accidentally destroy the groupinformation. Such a backup is encrypted to that HSM and only readable bythat HSM. This backup becomes useless if the HSM fails in some way asthe HSM individual keys would be lost. This backup is useful if the HSMis recoverable following a problem on upgrade by a further upgrade.

As already described above, embodiments of the present invention allowto group the HSMs 140 a-c within a provisioning environment 130 togetherand to operate the group so that any HSM 140 a-c in the group mayperform the provisioning tasks. Furthermore, any member of the HSM groupmay enroll a new HSM to the group. Any HSM 140 a-c in the group mayperform a backup that can be restored by any other member of the groupfor use in event of a failure. As already described above, this requiresthe group to always have at least one active member that can introduce anew HSM into its group.

For allowing to uniquely identify each HSM in the group of secure HSM140 a-c, each HSM is configured to implement the identification schemedescribed in the following under further reference to FIG. 4 .

In an embodiment, the group membership may be viewed as a tree branchingout from the first secure HSM 140 a (i.e. the initial trunk) to multiplebranches, with any branch capable of creating new branches. Each memberHSM receives a simple identity from its parent HSM (the original HSM 140a has the identity “1”) which is based on the position of its parent inthe tree. So, the first new HSM may have the identity “1.1″, the secondHSM the identity “1.2” and so on. Then if the first new HSM enrollsanother HSM, this will have the identity “1.1.1”. The outcome is thateach HSM receives a designation, i.e. identity that is unique within thetree representing the group of HSMs 140 a-j without having to know howmany new HSMs have been created by other existing HSMs within the group,with whom it has no communications to find out.

As will be appreciated, by the designation scheme illustrated in FIG. 4the HSMs 140 a-j of a group given an identity that is guaranteed to beunique within the group. The unique identity allows operations where itis important the group does the operation once only. Any HSM 140 a-j ofthe group has the ability to augment the group with new HSMs, which isuseful for instance if the first HSM 140 a fails, allowing the remainingHSMs to enroll new group members.

Although an HSM in a group may appear exactly the same as any othermember, for operations such as logging which is essential for auditchecks it becomes possible to identify which specific member of thegroup performed an operation such as creating a device identity. It alsopermits providing permission to a specific member of the group toperform provisioning operations that theoretically any HSM would becapable of doing as they all hold OEM private keys via the enrolmentprocess described above.

As will be appreciated, the designations shown in FIG. 4 , such as “1”,“1.1” and the like, are only options and that other types ofdesignations defining a hierarchical tree structure may be used, such as“a.b.a”, “AAC” and the like.

FIG. 5 shows a flow diagram illustrating steps of a method 500 foroperating the provisioning control apparatus 140 a. The method 500comprises the steps of:

-   generating 501 a group context for creating a group of provisioning    control apparatuses 140 a-c;-   generating 503 the security sensitive provisioning data 150 based on    the group context;-   providing 505 the security sensitive provisioning data 150 to the    provisioning equipment server 160; and-   providing 507 the group context to a security server 120 for    generating a proxy provisioning control apparatus 120 a on the    security server 120, wherein the proxy provisioning control    apparatus 120 a is configured to provide the group context to a    first further provisioning control apparatus 140 c for enrolling the    first further provisioning control apparatus 140 c for the group of    provisioning control apparatuses 140 a-c, wherein the first further    provisioning control apparatus 140 c is configured to be coupled to    the provisioning equipment server 160.

While a particular feature or aspect of the disclosure may have beendisclosed with respect to only one of several implementations orembodiments, such feature or aspect may be combined with one or moreother features or aspects of the other implementations or embodiments asmay be desired and advantageous for any given or particular application.

Furthermore, to the extent that the terms “include”, “have”, “with”, orother variants thereof are used in either the detailed description orthe claims, such terms are intended to be inclusive in a manner similarto the term “comprise”. Also, the terms “exemplary”, “for example” and“e.g.” are merely meant as an example, rather than the best or optimal.The terms “coupled” and “connected”, along with derivatives may havebeen used. It should be understood that these terms may have been usedto indicate that two elements cooperate or interact with each otherregardless whether they are in direct physical or electrical contact, orthey are not in direct contact with each other.

Although specific aspects have been illustrated and described herein, itwill be appreciated by those of ordinary skill in the art that a varietyof alternate and/or equivalent implementations may be substituted forthe specific aspects shown and described without departing from thescope of the present disclosure. This application is intended to coverany adaptations or variations of the specific aspects discussed herein.

Although the elements in the following claims are recited in aparticular sequence, unless the claim recitations otherwise imply aparticular sequence for implementing some or all of those elements,those elements are not necessarily intended to be limited to beingimplemented in that particular sequence.

Many alternatives, modifications, and variations will be apparent tothose skilled in the art in light of the above teachings. Of course,those skilled in the art readily recognize that there are numerousapplications of the invention beyond those described herein. While thepresent invention has been described with reference to one or moreparticular embodiments, those skilled in the art recognize that manychanges may be made thereto without departing from the scope of thepresent invention. It is therefore to be understood that within thescope of the appended claims and their equivalents, the invention may bepracticed otherwise than as specifically described herein.

1. A provisioning control apparatus configured to be coupled to aprovisioning equipment server, the provisioning equipment server beingelectrically connectable with one or more electronic devices forprovisioning the electronic devices with security sensitive provisioningdata, wherein the provisioning control apparatus comprises: a processorconfigured to generate a group context for creating a group ofprovisioning control apparatuses; wherein the processor is furtherconfigured to generate the security sensitive provisioning data based onthe group context, wherein the provisioning control apparatus furthercomprises a communication interface configured to provide the securitysensitive provisioning data to the provisioning equipment server;wherein the communication interface is further configured to provide thegroup context to a security server for generating a proxy provisioningcontrol apparatus on the security server, wherein the proxy provisioningcontrol apparatus is configured to provide the group context to a firstfurther provisioning control apparatus for enrolling the first furtherprovisioning control apparatus for the group of provisioning controlapparatuses, wherein the first further provisioning control apparatus isconfigured to be coupled to the provisioning equipment server.
 2. Theprovisioning control apparatus of claim 1, wherein the communicationinterface is further configured to provide the group context to a secondfurther provisioning control apparatus for enrolling the second furtherprovisioning control apparatus for the group of provisioning controlapparatuses, wherein the second further provisioning control apparatusis configured to be coupled to the provisioning equipment server.
 3. Theprovisioning control apparatus of claim 1, wherein the communicationinterface is further configured to receive one or more wrapped OEM keysfrom a remote OEM server and wherein the processor is configured tounwrap the one or more wrapped OEM keys based on the group context andto generate the security sensitive provisioning data based on the one ormore OEM keys.
 4. The provisioning control apparatus of claim 3, whereinthe one or more OEM keys comprise an OEM certificate.
 5. Theprovisioning control apparatus of claim 1, wherein the group contextcomprises a group private key, a certificate for the group private keyand a group encryption key used for encryption and/or decryption.
 6. Theprovisioning control apparatus of claim 1, wherein the processor isfurther configured to assign an identity to the first furtherprovisioning control apparatus, wherein the identity of the firstfurther provisioning control apparatus is indicative of the provisioningcontrol apparatus and the first further provisioning control apparatus.7. The provisioning control apparatus of claim 6, wherein the processoris further configured to assign an identity to a second furtherprovisioning control apparatus, wherein the identity of the secondfurther provisioning control apparatus is indicative of the provisioningcontrol apparatus and the second further provisioning control apparatus.8. A provisioning control apparatus configured to be coupled to aprovisioning equipment server, the provisioning equipment server beingelectrically connectable with one or more electronic devices forprovisioning the one or more electronic devices with security sensitiveprovisioning data, wherein the provisioning control apparatus comprises:a communication interface configured to receive a group contextgenerated by a first further provisioning control apparatus from a proxyprovisioning control apparatus on a security server for creating a groupof provisioning control apparatuses; and a processor configured togenerate the security sensitive provisioning data based on the groupcontext, wherein the communication interface is further configured toprovide the security sensitive provisioning data to the provisioningequipment server.
 9. The provisioning control apparatus of claim 8,wherein the communication interface is further configured to receive oneor more wrapped OEM keys from a remote OEM server and wherein theprocessor is configured to unwrap the one or more wrapped OEM keys basedon the group context and to generate the security sensitive provisioningdata based on the one or more OEM keys.
 10. The provisioning controlapparatus of claim 9, wherein the one or more OEM keys comprise an OEMcertificate.
 11. The provisioning control apparatus of claim 8, whereinthe group context comprises a group private key, a certificate for thegroup private key and a group encryption key used for encryption and/ordecryption.
 12. The provisioning control apparatus of claim 8, whereinthe communication interface is further configured to provide the groupcontext to a second further provisioning control apparatus for enrollingthe second further provisioning control apparatus in the group ofprovisioning control apparatuses, wherein the second furtherprovisioning control apparatus is configured to be coupled to theprovisioning equipment server for provisioning the electronic deviceswith the security sensitive provisioning data.
 13. The provisioningcontrol apparatus of claim 12, wherein the communication interface isfurther configured to receive an identity from the first furtherprovisioning control apparatus or the proxy provisioning controlapparatus on a security server, wherein the identity of the provisioningcontrol apparatus is indicative of the provisioning control apparatusand the first further provisioning control apparatus.
 14. Theprovisioning control apparatus of claim 13, wherein the processor isconfigured to assign an identity to the second further provisioningcontrol apparatus, wherein the identity of the second furtherprovisioning control apparatus is indicative of the provisioning controlapparatus, the first further provisioning control apparatus and thesecond further provisioning control apparatus.
 15. A provisioning systemcomprising: a provisioning control apparatus including a processorconfigured to generate a group context for creating a group ofprovisioning control apparatuses; wherein the processor is furtherconfigured to generate the security sensitive provisioning data based onthe group context, wherein the provisioning control apparatus furthercomprises a communication interface configured to provide the securitysensitive provisioning data to the provisioning equipment server;wherein the communication interface is further configured to provide thegroup context to a security server for generating a proxy provisioningcontrol apparatus on the security server, wherein the proxy provisioningcontrol apparatus is configured to provide the group context to a firstfurther provisioning control apparatus for enrolling the first furtherprovisioning control apparatus for the group of provisioning controlapparatuses, wherein the first further provisioning control apparatus isconfigured to be coupled to the provisioning equipment server; aprovisioning control apparatus according to claim 8; a remote securityserver comprising a proxy provisioning control apparatus; and aprovisioning equipment server being electrically connectable with one ormore electronic devices for provisioning the one or more electronicdevices with the security sensitive provisioning data.
 16. A method foroperating a provisioning control apparatus configured to be coupled to aprovisioning equipment server, the provisioning equipment server beingelectrically connectable with one or more electronic devices forprovisioning the one or more electronic devices with security sensitiveprovisioning data, wherein the method comprises: generating a groupcontext for creating a group of provisioning control apparatuses;generating the security sensitive provisioning data based on the groupcontext; providing the security sensitive provisioning data to theprovisioning equipment server; and providing the group context to asecurity server for generating a proxy provisioning control apparatus onthe security server, wherein the proxy provisioning control apparatus isconfigured to provide the group context to a first further provisioningcontrol apparatus for enrolling the first further provisioning controlapparatus for the group of provisioning control apparatuses, wherein thefirst further provisioning control apparatus is configured to be coupledto the provisioning equipment server.